Archive for October, 2009

Wall of Sheep Only Proves Acceptance of Risk

October 16, 2009

Participants at the SecTor security conference had their traffic sniffed in a kind of ‘Wall of Sheep’ stunt according to this article in the Register.

So the organisers have shown up some attendees to be security noobs or worse still completely ignorant, or have they?

Apparently users of the conference wireless network were informed that the network was being sniffed, but only by announcements between talks, which is probably when people were chatting or had their snouts in the buffet.

There was no notification given upon connection, and users were required to get a shared key from one of the conference booths so they could log on to the WPA protected network. Finally, the SSID was ‘Sector2009Secured’. Of course it may as well have been ‘ThisIsCompletelySafe’ because it makes no difference what the network is called.

So all the indications were that the network was not being monitored/sniffed/hacked/exploited or whatever else perpetrators of such stunts may call it.

Now sure, security bods should know better than to completely trust a wireless network (even though this particular network was sniffed once the traffic was on the wire and not in the airwaves).  And some are quite rightly pissed off now that they know what the conference organisers were up to. But to expose those who still used the network as ‘sheep’ is a bit premature.

Remarkably, one of those to have his credentials exposed was actually the conference organiser Brian Bourne of Black Arts Illuminated. His Twitter credentials were sniffed and here is the point.  Participating in Web 2.0 comes with some inherent risks. Your personal info, your opinions, your very thoughts can all be exposed and your reputation put on the line. Most tech savvy people are aware of this, but they accept the risks because they are outweighed by the benefits.

So sure, the bods at the conference should have known the wireless network came with no guarantees of security, but maybe they did, and they used it anyway. Yes, those whose credit card details were sniffed should have known better, but those whose Tweets or email addresses got out were just getting on with it.  They were ‘fooled’ by the confidence tricksters who were running the network.  All this dirty little exercise proves is that even amongst security professionals the simplest attack vector is still through the user rather than the technology.

VeriSign Phishing Awareness Site Starts Well then Misses Point

October 14, 2009

A tweet from @Allen L. Kelly pointed me to a nice bit of phishing education from VeriSign.  www.phish-no-phish.com runs you through a challenging quiz where you are presented with two ‘identical’ screenshots and have to identify which is the phishing site.

Some of the sites were very difficult to differentiate and I even got one wrong because I was perhaps in too much of a hurry and didn’t spot a couple of minor spelling mistakes.  This though would reflect real life for most people so was an excellent way of demonstrating just how careful you need to be.

I got about half way through and was considering posting a link to the site on the corporate intranet as an awareness exercise for staff.

Then I was hit by the sales pitch.

After the fifth question a screen appeared explaining how Extended Validation (EV) SSL, triggers modern web browsers to display a green address bar when a genuine site is viewed.  Fair enough I thought. Users should be taught about this technology as it can help them identify genuine sites.

I was invited to continue the quiz to “see how easy it is to choose the correct site. Just choose the site that displays the green address bar.”

And yes it was easy after that. No more needing to look for dodgy addresses, missing padlocks or poor spelling and grammar.  As the tips pointed out:

The green address bar is a surefire way to identify the genuine Web site.

When you see the green address bar, there’s no need to scan for typos and misspellings.

Criminals can’t fake the green address bar.

Cool! No more need to take care, just watch for the green address bar and any site that doesn’t display it must be fake! And I know I can trust any site with a green address bar because criminals can’t fake it – yet.

You’ll have to indulge me here: while I believe technical solutions can help, I don’t believe they solve the problem. As Mr Schneier says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

It’s a shame the VeriSign site lets itself down on this point. I know they’re trying to sell a technology solution but there should be a stronger emphasis on EV SSL being only part of an overall solution.  After all it’s not going to help users who are taken to a fake site from an email link – unless of course they’ve bought into the technology so completely that they only trust sites with green address bars. This is after all how the final five questions in the quiz run. You just click on the sites with green address bars.
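The address checks the post says users still need (a dodgy address, a missing padlock) can be made concrete. The following is an added example, not code from the post or from VeriSign: a small URL assessor that compares the registrable domain of a link against a constructed table of known brand domains, and records the EV green bar as a signal without letting it decide the verdict. The brand table, the two-label domain rule and the sample URLs are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed table of brands and the registrable domain each actually uses.
# Assumed for the example; a real deployment would maintain this list.
KNOWN_DOMAINS = {"examplebank": "examplebank.com", "examplemail": "examplemail.net"}


def registrable_domain(host):
    """Last two labels of a hostname. A simplification: real code would use
    the Public Suffix List so that suffixes like 'co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url, green_bar=False):
    """Return (verdict, warnings) for a URL the user is about to trust.

    green_bar models the EV indicator the post discusses. It is recorded as
    a signal but never overrides the address checks: an EV certificate says
    who operates the site, not that it is the operator you were looking for.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    warnings = []
    # Missing padlock: the link is not even using TLS.
    if parts.scheme != "https":
        warnings.append("no https (no padlock)")
    # Dodgy address: a brand name appears in the host or path, but the part
    # of the name that is actually registered belongs to someone else.
    for brand, real in KNOWN_DOMAINS.items():
        if brand in (host + parts.path.lower()) and reg != real:
            warnings.append(f"looks like {brand} but is served from {reg}")
    if warnings:
        return "suspicious", warnings
    if reg in KNOWN_DOMAINS.values():
        # Genuine whether or not an EV green bar is shown.
        return "known site", warnings
    return ("unverified, EV shown" if green_bar else "unverified"), warnings


if __name__ == "__main__":
    # Constructed sample links, as a phishing-awareness quiz might present them.
    for link, ev in [
        ("https://www.examplebank.com/login", False),
        ("https://examplebank.com.login-secure.example/login", True),
        ("http://www.examplebank.com/login", False),
        ("https://secure-login.example/examplebank/", True),
    ]:
        print(link, "->", assess_url(link, green_bar=ev))
```

The point of the design is in the last two branches: a known domain without a green bar is still a known site, and a lookalike domain with a green bar is still suspicious.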

But then you’d be missing out on all the fun on Facebook, Twitter, Gmail (Thawte i.e. Blue) etc.

Air New Zealand email: When it works it leaks

October 12, 2009

Shouldn’t Rob Fyfe be just as concerned that when his email finally works again it leaks like a sieve?

Yes, OK, it’s inexcusable that IBM left our national carrier without IT services for two hours or so. And I’m sure that somewhere along the line human fallibility is at fault. But if I worked in IT or HR at AirNZ I’d be trying to track down how the email got out.

Or maybe it was IBM that leaked that too? Disgruntled employee perhaps? You’d have to be either brave or stupid to be taking risks like that in this economic climate.

Are Bad Passwords Really Less Secure?

October 12, 2009

So the most common password in the now infamous 10,000 was 123456 followed closely by 123456789 (Kudos to Acunetix for the statistical analysis.)

The analyst, Bogdan Calin, says in his post that:

a big majority of users still use very poor passwords

and a number of reporters have echoed this assertion, take Computerworld for example:

1234567 may not be a very secure password, but it’s popular on Hotmail

But hold on. Hotmail, Gmail etc. have said that the breach was due to phishing, not hacking, and so far I haven’t seen anyone saying anything to the contrary.

So really all we know is that people who are likely to fall for a phishing attack are also likely to have weak passwords. But even then there will be exceptions, like the person whose password was lafaroleratropezoooooooooooooo.
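The frequency count Acunetix ran, and the kind of policy check that would flag a password like the one above, can be shown on a small constructed list. This is an added example, not Acunetix's analysis or the leaked list itself: the passwords, the deny-list and the policy rules are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample standing in for a leaked credential dump (not the real
# 10,000-entry list the post discusses). Duplicates are deliberate so the
# frequency count has something to show.
SAMPLE_PASSWORDS = [
    "123456", "123456789", "123456", "password", "alejandra",
    "123456", "1234567", "iloveyou", "123456789", "alberto",
    "123456", "tequiero", "lafaroleratropezoooooooooooooo", "estrella",
    "P4ssw0rd!2009", "123456789", "1234567", "Tr0ub4dor&3",
]

# Tiny deny-list constructed for the example; a real audit would use a
# published wordlist of breached passwords.
DENY_LIST = {"123456", "123456789", "1234567", "password", "iloveyou", "qwerty"}


def top_passwords(passwords, n=3):
    """Most common values with their counts, the statistic the post quotes."""
    return Counter(passwords).most_common(n)


def longest_run(s):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def weakness_reasons(pw):
    """Return the policy rules a password fails; an empty list means it passes.

    The rules are a deliberately simple illustration of a password policy
    (assumed here, not taken from the post): deny-list hits, short length,
    digits only, and a long repeated run, which catches long but padded
    strings like the 'ooooo' example quoted in the post. Plain dictionary
    words are NOT caught, which is a real limitation of such rules.
    """
    reasons = []
    if pw.lower() in DENY_LIST:
        reasons.append("in deny-list")
    if len(pw) < 8:
        reasons.append("shorter than 8")
    if pw.isdigit():
        reasons.append("digits only")
    if longest_run(pw) >= 4:
        reasons.append("repeated character run")
    return reasons


def audit(passwords):
    """Summarise a dump: distinct values, how many accounts fail policy, and why."""
    flagged = {pw: weakness_reasons(pw) for pw in set(passwords)}
    accounts_weak = sum(1 for pw in passwords if flagged[pw])
    return {
        "accounts": len(passwords),
        "distinct": len(flagged),
        "accounts_with_weak_password": accounts_weak,
        "weak_share": accounts_weak / len(passwords),
        "reasons": {pw: r for pw, r in flagged.items() if r},
    }


if __name__ == "__main__":
    print("most common:", top_passwords(SAMPLE_PASSWORDS))
    report = audit(SAMPLE_PASSWORDS)
    print(f"{report['accounts_with_weak_password']}/{report['accounts']} accounts fail policy")
    for pw, why in sorted(report["reasons"].items()):
        print(f"  {pw}: {', '.join(why)}")
```

Note that "alejandra" passes every rule here, which is the caveat the post's own argument turns on: a statistic like "most common password is 123456" tells you about the people in the dump, not about how the credentials were obtained.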

Hardly headline stuff.

Stop the Presses

Looks like there is a debate going on. Perhaps it was keylogging that got the passwords.  This seems more credible.
